CTDM - Cyber Threats Detection and Mitigation

Cyber threats are increasing at an alarming rate every year, and the ability of organizations to defend against full-scale distributed attacks quickly and effectively is becoming more and more difficult. To be safe and secure on today's Internet, organizations must learn to become more automated. This means being capable of characterizing attacks across hundreds or even thousands of IP sessions and improving their ability to recognize attack commonalities. With intrusion detection systems and trained network security auditors, organizations have a reliable means to prioritize and isolate only the most critical threats in real time.

Taught by leaders in network defense who work in the computer security industry, this course demonstrates how to defend large-scale network infrastructure by building and maintaining intrusion detection systems, performing network security audits, and applying incident response techniques.

Course Details:

70% labs, 30% lecture, using real-world network attacks

Laptops are provided during the class

Students receive USB Flash drives of all student labs

Objectives

Attending students will learn:

How to identify the best defensive measures to effectively protect a network

How to set up and maintain an intrusion detection system

How to conceptualize and develop intrusion detection rules and rulesets

How to analyze and respond to intrusion attempts

How to recover from a successful intrusion

Prerequisites

You should possess knowledge of the following:

Attending students should have a thorough understanding of Microsoft Windows

Knowledge of networking protocols and Wireshark filtering is highly recommended

Who Should Attend

Network defenders who want to respond to network threats

Incident responders who need to quickly address a system security breach

Individuals who need a firm understanding of signature development and SNORT

Outline

Intrusions Defined

Historical Intruders

Jonathan James

Adrian Lamo

Kevin Mitnick

Kevin Poulsen

Robert Tappan Morris

Vladimir Levin

Lloyd

David Smith

MafiaBoy

Mark Abene

Historical Intrusions

Morris Worm

Melissa

VBS/Loveletter (ILOVEYOU virus)

Code Red

Nimda

SQL Slammer

MS Blaster

MyDoom

Sasser

Witty

Wireshark Overview

Interface

Capturing

Packet Decoding

Filter Generator

Right Click Contexts

Marking Packets

Statistical Information

Find Features

Stream Reconstruction

TCP Session Initialization Review

Incident Response

Incident Response Plan

Incident Response Team

Incident Response Policy

Types of Incidents

Denial of Service

Malicious Code

Unauthorized Access

Inappropriate Usage

Multiple Component

Incident Response Phases

Preparation

Detection and Analysis

Containment, Eradication, and Recovery

Post-Incident Activity

NetFlow Analysis

Cisco NetFlow v1 and v9 (IPFIX)

sFlow

J-Flow

SiLK and Argus Collectors

Intrusion Detection Systems

Definition

IDS Types

NIDS

HIDS

DIDS

Scanning versus Compromise

IDS Known Good versus Known Bad Approaches

Rule-Based IDS

Protocol Analysis IDS

Heuristics-Based IDS

Response Actions

Passive Response

Active Response

Inline IDSs

Problems with Active Response

Defense in Depth

Physical Security

Social Engineering

OS Security

Application Security

Internal Threats

Network Security

False Positives and False Negatives

Intrusion Prevention Systems

Active Response Techniques

Introduction to Snort

Packet Sniffer

Packet Logger

NIDS

Protocol Support

ICMP, UDP, IP

Sourcefire

Packet Decoder

Preprocessors

Detection Engine

Alert and Logging

Detection Rules

Actions after a match

What rules can't do

Fundamentals of a Rule

Rule Header

Rule Body

Rule Actions

Alert, Log, Pass, Activate, Dynamic, Drop, Reject, Sdrop

Rule Body Options

MSG, References, ID, Rev, Classtype, Severity, Content

Content Modifiers

Nocase, Rawbytes, Depth, Offset, Distance, Within, Http_uri, etc.

Pre-Processors

Frag3, Stream4, Flow, Stream5, Http_Inspect

Output Plug-ins

Alert_Syslog, Alert_Fast, Alert_Full, CSV, Database, etc.

Attack Scenarios

Writing signatures for many attack scenarios applicable to real-world situations

Syslog Tools

Kiwi SyslogD Server Setup

Non-Payload Detection Rules

Dsize

Fragoffset

TTL

TOS

ID

IPOpts

Fragbits

Flags

Flow

Flowbits

Seq

Window

Etc.

Post-Detection Rule Options

Logto

Session

Resp

React

Tag

Writing Effective SNORT Rules

Content Matching

Catch Vulnerabilities

Oddities of the protocol

Optimizing IDS Rules

Attack Scenarios

Writing signatures for many attack scenarios applicable to real-world situations

Student Practical Demonstration:

Students are given five attack scenarios for which they need to write SNORT rules to defend against them. Once the students have implemented the rules on their SNORT system, the instructor launches attacks against them to determine whether their rules were effective.

Lab Outline

Day 1

Incident Response Team Exercise

Wireshark Display Filtering Exercise Part I

Wireshark Display Filtering Exercise Part II

Researching an Intrusion in Wireshark Lab 1

Researching an Intrusion in Wireshark Lab 2

Researching an Intrusion in Wireshark Lab 3

Researching an Intrusion in Wireshark Lab 4

Researching an Intrusion in Wireshark Lab 5

Determining if an Intrusion Has Occurred Using Wireshark Part I

Determining if an Intrusion Has Occurred Using Wireshark Part II

Day 2

NetFlow Analysis using Wireshark

NetFlow Placement Strategies Lab

Intrusion Detection Worksheet

Day 3

Configuration of the SNORT IDS

Writing SNORT Detection Rules

Payload Detection Rules

Content Matching and Modifiers

Attack Scenarios (1-5)

Day 4

Non-Payload Detection Rules

Writing DSIZE Alerts

Writing Flags Alerts

Writing Flow Established Alerts

Post-Detection Actions

Using Pre-Processors in SNORT

Using Output Plugins in SNORT

Attack Scenarios (1-5)

Practice Writing Detection Rules for Real-World Threat Scenarios

Day 5 Student Practical Demonstration:

Students are given five attack scenarios for which they need to write SNORT rules to defend against them. Once the students have implemented the rules on their SNORT system, the instructor launches attacks against them to determine whether their rules were effective.